Firewall NAT
A firewall operates on router to protect local network, It can handle NAT

A Network Address Translation (NAT) firewall operates on a router to protect private networks. It works by only allowing internet traffic to pass through if a device on the private network requested it. A NAT firewall protects the identity of a network and doesn’t show internal IP addresses to the internet.

This is because, when connected to the internet, your router is assigned a single public IP address. It’s visible to the wider net and is needed to communicate with web servers. Any devices connected to the router locally have private IP addresses, which do not allow them to directly ‘communicate’ with the required web servers. This is where NAT comes into play – it directs traffic back and forth.

It is very common to combine Firewall with NAT in Mikrotik. So, a NAT is a rule in a firewall and has plenty of options.

Masquerade

Firewall NAT action=masquerade is unique subversion of action=srcnat, it was designed for specific use in situations when public IP can randomly change, for example, DHCP-server changes it, or PPPoE tunnel after disconnect gets different IP, in short - when public IP is dynamic.

Every time the interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries that send packets out that interface, this way improving system recovery time after a public IP address change.

Unfortunately, this can lead to some issues when action=masquerade is used in setups with unstable connections/links that get routed over the different links when the primary is down. In such a scenario following things can happen:

  • on disconnect, all related connection tracking entries are purged;
  • next packet from every purged (previously masqueraded) connection will come into a firewall as connection-state=new, and, if a primary interface is not back, a packet will be routed out via an alternative route (if you have any) thus creating a new connection;
  • primary link comes back, routing is restored over the primary link, so packets that belong to existing connections are sent over the primary interface without being masqueraded leaking local IPs to a public network.

You can work around this by creating a blackhole route as an alternative to a route that might disappear on disconnect).

When action=srcnat is used instead, connection tracking entries remain and connections can simply resume.

Firewall NAT
DPQ, Mostafa Barmshory 16 November, 2021
Share this post
Sign in to leave a comment
Network Address Translation
A standard that allows hosts on a local area network to use another set of IP addresses